CentOS monitoring traffic on port

network-monitoringporttraffic

I am looking for a tool to monitor traffic on some ports of a CentOS server.
On this server each service runs on a port from 3000 to 3050 and I would like to compare traffic consumption on these services; like which is the main talker/listener.

/proc/net/dev only give the global amount of bits send and received on the network interface, and not at port level.

Every tool I have found out goofing google provide report on interface level (such like eth0) and none at port level, but I may have not searched enough after all.

Do you guys know any way to do such thing?

Best Answer

Or you could use targetless iptables, which is quite legal and harmless:

iptables -A INPUT -p tcp --dport 3000
iptables -A INPUT -p tcp --dport 3001
...
iptables -A INPUT -p tcp --dport 3050

and

iptables -A OUTPUT -p tcp --sport 3000
iptables -A OUTPUT -p tcp --sport 3001
...
iptables -A OUTPUT -p tcp --sport 3050

Since none of these rules has a target, none of them will change the traffic flow. But each of them will increment its packet and byte counts for each matching packet, so iptables -L -n -v should return something like

15733  933K           tcp  --  * *      0.0.0.0/0      0.0.0.0/0     tcp dpt:3000
5733   133K           tcp  --  * *      0.0.0.0/0      0.0.0.0/0     tcp dpt:3001
...

Note this assumes you aren't using any firewalling right now; if you are, these rules will need to go in the right place in the INPUT and OUTPUT chains, ie, first.

Given the number of ports you're monitoring, you might want to delegate this to a user-defined chain to keep your iptables output sane; but that's an exercise for you!

Related Solutions

Monitoring – Network Traffic Monitoring Techniques

I'm assuming you have a commercial router/switch, it most likely has SNMP which you can combine with MRTG for a nice traffic graph.

How to filter http traffic in Wireshark

Ping packets should use an ICMP type of 8 (echo) or 0 (echo reply), so you could use a capture filter of:

icmp

and a display filter of:

icmp.type == 8 || icmp.type == 0

For HTTP, you can use a capture filter of:

tcp port 80

or a display filter of:

tcp.port == 80

or:

http

Note that a filter of http is not equivalent to the other two, which will include handshake and termination packets.

If you want to measure the number of connections rather than the amount of data, you can limit the capture or display filters to one side of the communication. For example, to capture only packets sent to port 80, use:

dst tcp port 80

Couple that with an http display filter, or use:

tcp.dstport == 80 && http

For more on capture filters, read "Filtering while capturing" from the Wireshark user guide, the capture filters page on the Wireshark wiki, or pcap-filter (7) man page. For display filters, try the display filters page on the Wireshark wiki. The "Filter Expression" dialog box can help you build display filters.

Best Answer

Related Solutions

Monitoring – Network Traffic Monitoring Techniques

How to filter http traffic in Wireshark

Related Topic